Getting Started Guide

If you’re not a legal professional, getting your website or app to be compliant with international privacy laws can be tedious and difficult. iubenda provides several comprehensive and customizable solutions that you can seamlessly integrate into your website or app.

What you need to know

Legal Requirements

Most legislation requires you to disclose data collection and to implement a method of receiving consent or facilitating its withdrawal. Failure to adhere to these laws can result in hefty fines, leave you open to litigation and negatively affect the credibility of your website or app.

By law:

Users need to be informed about website/app owner details, what data is being collected, their rights with regard to that data, your notification process for policy changes, the effective date of the policy and third-party access to their data (for example, third-party widgets, social buttons, ad service integrations etc.). They also need to be informed about your general conditions (including sales conditions).

Users need to be able to give, decline or withdraw consent (depending on the regional law). In the US, the law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action. Compared to the US regulations, EU law (in particular the GDPR) is more stringent when it comes to consent. Consent under the GDPR must be “explicit and freely given”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms). The regulation also gives a specific right to withdraw consent; it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital that you keep clear records related to the consent attained.

Users need to be informed about cookie use and given the option to consent or decline. Also related to consent, the ePrivacy Directive or the Cookie Law requires users’ informed consent before storing cookies on a user’s device and tracking them.

It’s useful to remember that under GDPR regulations consent is not the ONLY reason that an organization can process user data; it is only one of the “Lawful Bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. However, there will always be data processing activities where consent is the only or best option.

Generally, these laws apply to any service targeting residents of the region, which effectively means that it’ll most likely apply to your business whether the organization or web servers are located in the region or not. See more information on legal requirements here.

Third-party Requirements

Since most third-party apps and services also need to follow the law, they may require that websites & apps meet regulatory standards.

One example is Google. In order to access certain services and tools (for example, AdSense, Google Analytics, Google Play store), Google requires that you have a comprehensive and up-to-date privacy policy in place. Here’s an excerpt from the Google Analytics terms of use:

“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data, and You must not circumvent any privacy features (e.g, an opt-out) that are part of the Service.”

From time to time third party requirements can change in response to internal or regional regulations. It’s often necessary that your policies meet the latest requirements in order to avoid interruption of service. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.

You can read more about Google’s requirements here and here.
You can read more about Apple’s requirements here and here.

How iubenda can help

iubenda’s approach to compliance

Here at iubenda, we believe in the importance of a comprehensive approach to data law compliance. We keep track of the major legislations and build solutions with the strictest regulations in mind, giving you full options to customize as needed. This way, you can ensure that you meet your legal obligations (regardless of where your customers are located), reduce your risk of litigation and protect your customers, building trust and credibility. Read more about our features.

Here’s what you need to get started with full compliance:

Informing users about personal data with a privacy policy

As mentioned above, users must be informed about how you use their personal data. As such, privacy policies are legally required almost everywhere in the world. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.

Our Privacy Policy Generator is affordable, available in several languages, lawyer crafted, customizable and self-updating (as it’s monitored remotely by our lawyers). It easily allows you to create a beautiful, precise privacy policy and seamlessly integrate it with your website or app. You can simply add any of several pre-created clauses at the click of a button or easily write your own custom clauses. The privacy policy also comes with the option to include a cookie policy (it’s necessary to include it if your website or app is using cookies). The policies are customized to your needs and remotely maintained by a legal team.

Complying with the EU Cookie Law

Because using cookies means both processing user data and installing files used for tracking, it is a major point of concern when it comes to user data privacy rights. For this reason, if you operate in the EU or could potentially have EU users, you need to comply with the Cookie Law. There are two parts to this:

Cookie policy, which you can find included as an option in the privacy policy generator mentioned above.

Cookie banner management: our Cookie Solution complies with the provisions of the European Cookie Law. It allows you to easily inform users and obtain their consent while including the option to block any scripts that install cookies without prior consent (which is required in many EU countries). It’s easy to run, fast and does not require heavy investments.

Internal Privacy Management

Meeting GDPR regulations can be a technical challenge to implement in practical terms. This is especially true for internal privacy management. In order to be compliant, you must be able to keep track of and describe:

which data you collect;

for which purposes it was collected;

the legal basis for processing;

data retention policy for each processing activity;

the parties involved (both inside and outside your organization);

security measures;

data transfer outside of the EU, if any; and

other related details which may apply company-wide, including data of employees.

Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations. It allows you to create records of processing activity: add processing activities from 600+ pre-made options, divide them by area (sub-divisions within which data processing activities are the same), assign processors and other member roles, and document legal bases and other GDPR-required records.

Please note: As mentioned in this guide, full and extensive records of processing are typically required for organizations that handle “special categories of data” or have more than 250 employees; however, there are some record-keeping requirements — such as which data you collect, its purpose, all parties involved in its processing and the data retention period — which are mandatory for everyone. Additionally, even though the GDPR is a common reason to put more effort into internal privacy management, our tool is not exclusively made for application under the GDPR. It can also be used for internal privacy management in general, even by companies who do not have any users/customers within the EU.

For a list of the full features of the Internal Privacy Management tool click here or read the guide here.

Managing consent and maintaining detailed records related to it

In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected. These records must show:

when consent was provided;

who provided the consent;

what their preferences were at the time of the collection;

which legal or privacy notice they were presented with at the time of the consent collection; and

which consent collection form they were presented with at the time of the collection.

Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.

To use, simply activate the Consent Solution and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.

The software, materials and assistance provided by iubenda have the only purpose of helping users with compliance regarding their legal requirements. In particular, the templates iubenda provides are generated automatically, yet every word of our template has been written and continuously revised by a skilled legal team. However, as can be easily understood, nothing can substitute a professional legal consultancy in the drafting of your privacy policy, cookie policy or of any other legal document or compliance procedure. Our service does its best to provide you with a starting point, like an extremely sophisticated templates book, but even if we strive to provide the best assistance possible, we cannot guarantee any conformity with the law, which only a lawyer can do. Nothing on this site, therefore, shall be considered legal advice and no attorney-client relationship is established. Please note that in some cases, depending on your legislation, further actions may be required to make your activity compliant with the law.